Educating businesses and making them aware of their potential exposure is probably the biggest hurdle for insurance firms that want to provide cyber coverage to their clients.
Will the EU insurance industry be sufficiently protected, from a legislative perspective, by the NIS Directive 1148/2016 and the GDPR Regulation 679/2016?
Traditional insurance policies are inadequate to cover against damages arising out of a cyber-attack. For example, general liability policies usually exclude coverage for losses due to cyber-attacks. Marine insurance policies incorporate the Institute Cyber Attack Exclusion Clause CL380, developed by the Institute of London Underwriters (ILU) in November 2003.
Marine yard covers for ship builders also include the CL380 clause. Property insurance policies do not list malware and distributed denial-of-service attacks as ‘named perils’; such losses are usually excluded or simply not covered. Crime insurance policies generally cover only tangible property, not loss of data. Errors-and-omissions insurance often requires negligence in professional services and generally does not cover the costs of regulatory actions.
It is essential that a comprehensive cyber policy include the following:
- Network-security liability
- Privacy liability
- Electronic-media content liability
- Regulatory defense and penalties
- Network extortion
- Network business interruption
- Data-breach event expenses
- Data asset protection
From a loss prevention perspective, the following areas should be gradually developed and offered to the assureds:
- Cyber-security risk assessments
- Proactive dark web monitoring
- Vendor security ratings
- Services to identify malicious IP addresses
- Insurance company mobile apps providing real-time threat sharing and best practices
- Online employee education and training